CredVault

Secure credential storage with versioning, rotation, and audit logging.

Overview

CredVault is the security layer of AionixOne, providing AWS Secrets Manager-like capabilities for storing and managing sensitive credentials locally with encryption at rest.

TRN Pattern

trn:credvault:{tenant}:credential/{name}
trn:credvault:{tenant}:credential/{name}/version/{version}

Key Features

  • Multiple Credential Types — API keys, passwords, certificates, OAuth tokens
  • Versioning — Immutable versions with activation/retirement lifecycle
  • Rotation — Programmatic rotation with audit logging
  • Encryption — AES-256 at rest with master key management
  • DSL Integration — Reference via $secret.{name} syntax in workflows

Quick Example

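# Create secret
# (a value passed via --value ends up in shell history and is visible
# in the process list while the command runs)
aio sec create db-password --value "super-secret-123"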
 
# Create with type
aio sec create github-token \
  --type api-key \
  --value "ghp_xxxx"
 
# Reveal (requires confirmation)
aio sec reveal db-password
 
# Rotate
aio sec rotate db-password --value "new-secret-456"
 
# List versions
aio sec versions db-password

Credential Types

| Type | Description | Use Case |
|------|-------------|----------|
| password | Plain text password | Database credentials |
| api-key | API key or token | Third-party API access |
| certificate | X.509 certificate | TLS/SSL |
| oauth-token | OAuth2 tokens | AuthFlow integration |
| key-pair | Public/private key pair | SSH, signing |

DSL Reference

In StepFlow workflows:

{
  "parameters": {
    "apiKey": "{% $secret.github-token %}",
    "dbPassword": "{% $secret.db-password %}"
  }
}
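
To review which credentials a workflow can pull from CredVault, its `$secret` references can be extracted and mapped onto the TRN pattern above. This is an added example, not AionixOne code; the allowed characters in a secret name, the tenant value `acme` and the sample workflow are assumptions constructed for illustration.

```python
import json
import re

# Matches the reference form shown on the page: {% $secret.<name> %}
# Assumption: names use letters, digits, '-' and '_'; the page does not define the charset.
SECRET_REF = re.compile(r"\{%\s*\$secret\.([A-Za-z0-9][A-Za-z0-9_-]*)\s*%\}")

# Constructed sample workflow (not taken from a real deployment).
SAMPLE_WORKFLOW = """
{
  "parameters": {
    "apiKey": "{% $secret.github-token %}",
    "dbPassword": "{% $secret.db-password %}",
    "nested": {"headers": ["Bearer {% $secret.github-token %}"]},
    "region": "eu-west-1"
  }
}
"""

def walk_strings(node, path="$"):
    """Yield (json_path, string) for every string value in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def secret_references(workflow_json):
    """Map each referenced secret name to the sorted JSON paths that use it."""
    refs = {}
    for path, text in walk_strings(json.loads(workflow_json)):
        for name in SECRET_REF.findall(text):
            refs.setdefault(name, set()).add(path)
    return {name: sorted(paths) for name, paths in sorted(refs.items())}

def required_trns(workflow_json, tenant):
    """Build the credential TRNs the workflow needs, using the page's TRN pattern."""
    return [f"trn:credvault:{tenant}:credential/{name}"
            for name in secret_references(workflow_json)]

if __name__ == "__main__":
    for trn in required_trns(SAMPLE_WORKFLOW, "acme"):  # "acme" is a hypothetical tenant
        print(trn)
```

The resulting TRN list is the minimum set of credentials the workflow needs, which can be compared against what it is actually permitted to read.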

API Endpoints

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | /api/v1/credentials | Create credential |
| GET | /api/v1/credentials/{name} | Get credential metadata |
| POST | /api/v1/credentials/{name}/reveal | Reveal credential value |
| POST | /api/v1/credentials/{name}/rotate | Rotate credential |
| GET | /api/v1/credentials/{name}/versions | List versions |

Documentation in progress. Content will be expanded.